Would your site pass a privacy audit?


The growth of behavioral ad targeting technologies has focused more attention on what publishers do with the personally identifiable information they collect from site visitors.  A website privacy policy is a legally binding disclosure to site users about everything you do with all of the data you collect from them.  There are two great reasons to make sure your privacy policy is both accurate and well written.

Reason 1:  Protecting your company

Having a comprehensive, accurate privacy policy is critical in defending your company against lawsuits, especially in the face of privacy legislation now under consideration in Congress.  State attorneys general and the FTC currently have jurisdiction, and regularly sue and fine companies whose websites have inaccurate privacy policies.  The FTC goes the extra step of publicizing companies it penalizes, which is a pretty major PR blow.  These guys will cut you no slack for good intentions.  If your site attracts kids, or deals with health or financial information, or does business internationally, the legal risks are considerably greater.

Reason 2:  Persuading website users to trust you

If your business involves lead generation or behavioral targeting, you’d best have a privacy policy that non-lawyers can understand.  Clear, reassuring language is as important here as it is on any direct response landing page.  If you make money by delivering qualified leads to advertisers, you can bet that some of those leads are going to take a look at your privacy policy.  Address their concerns up front with transparency and you’ll convert a higher percentage of them.  Same goes for reassuring parents if you’re targeting their kids with your website. 

The dirty secret of most privacy policies

Many publishers too small to have in-house legal staff take a common shortcut to a privacy policy:  They copy them with minor edits from another site.  As long as you copy from a publisher that has pretty much the same business model and features as your site and an in-house legal team, you should be OK, right?  Not so much, it turns out.

Lots of data collection points = lots of chances to miss something

Here are just a few of the ways your site may be collecting user data:

  • Site analytics
  • Member profiles
  • Subscriptions
  • Surveys
  • Internal ad server
  • 3rd-party ad server
  • Ad networks
  • Behavioral targeting platforms
  • Email
  • Affiliate programs
  • User-generated comments
  • Content recommendation engines

It’s unlikely you have a single person who understands all these systems and how they are used.  You’ll need to interview developers, sales, marketing and customer service at a minimum. 

Privacy Choice is a quick way to get a handle on some of that complexity.  Their tool runs a site audit to see what tracking cookies and beacons are present, from third parties such as web analytics firms, ad networks, exchanges and optimizers.  Privacy Choice has normalized the privacy policies of these third parties into four buckets: user anonymity, data sharing, uses of sensitive data, and policies for deleting user data over time. 
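The kind of inventory such an audit starts from can be produced with a short script. This is an added example, not Privacy Choice's tool: it scans a constructed sample page for a hypothetical publisher (the host `example-publisher.test` and every URL in the HTML are made up) and lists each third-party host together with how it is loaded, flagging 1x1 images as tracking beacons.

```python
"""Inventory third-party scripts, iframes and beacons on a page (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: a hypothetical publisher page and its own hostname.
SITE_HOST = "example-publisher.test"
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-publisher.test/app.js"></script>
<script src="https://www.analytics-vendor.test/ga.js"></script>
<script src="//ads.adnetwork.test/serve.js"></script>
</head><body>
<img src="https://beacon.retargeter.test/pixel.gif?uid=123" width="1" height="1">
<iframe src="https://widgets.recommender.test/embed"></iframe>
<img src="/images/logo.png">
</body></html>
"""

# Tags that pull a resource from another origin and therefore disclose the
# visitor's IP, referrer and (for scripts/iframes) give that party code execution.
SRC_RE = re.compile(r'<(script|img|iframe)\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)


def is_first_party(host, site_host):
    """A host is first-party if it is the site itself or one of its subdomains."""
    return host == site_host or host.endswith("." + site_host)


def inventory_third_parties(html, site_host):
    """Return {third_party_host: sorted list of load kinds} for the page."""
    found = {}
    for m in SRC_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).netloc.lower()
        if not host or is_first_party(host, site_host):
            continue                      # relative path or own domain
        kind = tag
        # A 1x1 image is the classic tracking pixel; record it as a beacon.
        if tag == "img" and re.search(r'width=["\']?1\b', m.group(0)) \
                and re.search(r'height=["\']?1\b', m.group(0)):
            kind = "beacon"
        found.setdefault(host, set()).add(kind)
    return {h: sorted(kinds) for h, kinds in sorted(found.items())}


if __name__ == "__main__":
    for host, kinds in inventory_third_parties(SAMPLE_HTML, SITE_HOST).items():
        print(f"{host}: {', '.join(kinds)}")
```

Each host in the output is a party whose data practices belong in the policy; resources injected later by those scripts (ad exchanges called from the ad server's tag, for instance) only show up if you run the same inventory over the live DOM in a browser.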

Don’t forget that data may also be collected through offline operations such as customer service, circulation, and outbound telemarketing.  If this information is used on your website, it needs to be included in your privacy policy.

The most common red flags

“We don’t share your information with 3rd parties”

It’s a warm and fuzzy statement that is nearly always false.  There are plenty of legitimate third parties with which every site owner must share user information.  These include the site’s hosting company, the user’s own ISP, the company that delivers any purchases, the banks clearing credit card payments, and many more.

“We collect your information through the form you complete on the site.”

It is likely you are also collecting personal information about the user from e-mail, faxes, telephone calls, postal mail or other communications with them, as well as from outside sources such as credit card processors, database vendors and list brokers.

3 better approaches to a privacy policy

1. Privacy policy generators

These are a quick and easy way to generate an accurate disclosure that will cover the most common areas of concern.  They are better than the copy and paste approach.  However, the output of these tools is only as good as the knowledge that goes into answering their canned questions. 

The DMA’s privacy policy generator: It’s free and the 16-question process is reasonably comprehensive.  However, it’s targeted more to marketer sites than publisher sites, so the coverage of advertising-related issues is thin.

2.  Hire a privacy consultant

TRUSTe has a basic product with a privacy policy generator for $249/year.  Large publishers may want to look at TRUSTe’s enterprise privacy consulting services, which may be more cost-effective than hiring a specialty law firm at $650/hour and up.

There are several companies that, like TRUSTe, have built 3rd-party certification businesses focused on the needs of ecommerce sites.  Two of the larger players are McAfee Secure (formerly HackerSafe) and Trust Guard.  They scan your site and certify that it is protected against inadvertent data leaks.  The seals they provide can deliver a conversion lift for consumer ecommerce sites, but they are not a substitute for a well-researched privacy policy.

3.  Hire an attorney with online privacy expertise

An attorney familiar with online data rules and laws can guide you through the discovery process of mapping how your publication collects, uses and shares data.  This is essential if the policy is to be accurate as well as flexible enough for future use.  The International Association of Privacy Professionals (IAPP) certifies consultants and attorneys in this area of expertise, and you may be able to get a referral from them.  However, you’ll likely have to become a member to get access to the professionals they certify.

Updating your privacy policy

Your privacy policy is not a snapshot; it has to remain accurate over time.  If your data collection practices change and are no longer accurately described in your policy, the policy needs to change.  If you are making major changes in your data usage, be careful not to use information collected under the earlier policy without getting permission from those users.  This is another reason to get it right the first time.  Part of adding any new product that has privacy implications (pretty much everything) should be determining whether it will require updating your privacy policy.

Like all journeys of self-discovery, creating a worthwhile privacy policy is not a trivial exercise.  However, it’s not all bad news.  Having a complete picture of how your company collects, uses and shares information can uncover opportunities to leverage the data you already have. 
